Category Archives: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 07 and 08)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Hotpatch for Windows Server virtual machines

You can patch and install updates to your Windows Server virtual machines on Azure without requiring a reboot using hotpatch. This capability is available exclusively as part of Azure Automanage for Windows Server for Windows Server Azure Edition core virtual machines, and comes with the following benefits:

  • Lower workload impact with fewer reboots
  • Faster deployment of updates as the packages are smaller, install faster, and have easier patch orchestration with Azure Update Manager
  • Better protection, as the Hotpatch update packages are scoped to Windows security updates that install faster without rebooting

Virtual Machine level disk bursting supports additional VM types

Virtual Machine level disk bursting supports M-series, Msv2-series Medium Memory, and Mdsv2-series Medium Memory VM families allowing your virtual machine to burst its disk IO and throughput performance for a short time, daily. This enables VMs to handle unforeseen spiky disk traffic smoothly and process batched jobs with speed. There is no additional cost associated with this new capability or adjustments on the VM pricing and it comes enabled by default.

Automatically delete a VM and its associated resources simultaneously

Automatically delete disks, NICs and Public IPs associated with a VM at the same time you delete the VM. With this feature, you can specify the associated resources that should be automatically deleted when you delete a VM. This will allow you to save time and simplify the VM management process.

Storage

Azure NetApp Files: new region and cross-region replication

Azure NetApp Files is now available in Australia Central 2. Additionally, cross-region replication has been enabled between Australia Central and Australia Central 2 region pair.

Azure NetApp Files: application consistent snapshot tool v5.1 (preview)

Application consistent snapshot tool (AzAcSnap) v5.1 is a command-line tool that enables you to simplify data protection for third-party databases (SAP HANA) in Linux environments (for example, SUSE and RHEL).

The public preview of application consistent snapshot tool v5.1 supports the following new capabilities:

  • Oracle Database support
  • Backint Co-existence
  • RunBefore and RunAfter capability

These new features can be used with Azure NetApp Files, Azure BareMetal, and now, Azure Managed Disk.

Networking

Application Gateway mutual authentication

Azure Application Gateway is announcing general availability for transport layer security (TLS) mutual authentication. Mutual authentication allows for two-way TLS certificate-based authentication, which allows both client and server to verify each other’s identity. This release strengthens your zero trust networking posture and enables many connected devices, IoT, business to business, and API security scenarios.

You can upload multiple client certificate authority (CA) certificate chains on the Application Gateway to use for client authentication. You can also choose to enable frontend mutual authentication at a per-listener level on Application Gateway. Microsoft is also adding enhancements to server variables supported on Application Gateway to enable you to pass additional client certificate information to backend as HTTP headers.

With this release Microsoft is also extending support for listener specific TLS policies which allows you to configure predefined or custom TLS policies at a per listener granularity, instead of global TLS policies.

Azure Networking: security services for a Zero Trust approach

There are more and more companies that, in order to sustain the pace dictated by digital transformation and for other specific reasons, undertake a path of adopting cloud solutions and migrating their workloads to the cloud. To ensure that the resources in the cloud environment are secure, it is necessary to adopt a new security model that adapts more effectively to the complexity of the modern environment, contemplating hybrid environments and protecting applications and data no matter where they reside. This article describes some of the key Azure networking security services that help organizations adopt the Zero Trust model, an integrated and proactive approach to security to be applied on different fronts.

The Zero Trust framework developed by Microsoft is based on the following three principles to protect assets:

  • Verify explicitly. Always authenticate and authorize, taking into consideration different aspects such as: the user identity, location, the status of the device, the service or workload, data classification and anomalies.
  • Use least privileged access. Restrict user access through: “just-in-time” access (JIT) and “just-enough-access” (JEA), risk-based adaptive policies and data protection.
  • Assume breach. Minimize exposure and segment access by defining granular perimeters. Use end-to-end encryption and analysis to gain visibility, detect threats and improve defenses.

The Zero Trust approach assumes a breach and accepts the reality that attackers can be anywhere. For this reason, the model recommends checking all access attempts, restricting user access (JIT and JEA) and strengthening asset protection. However, it is important to pair these practices with checks on network communications, by segmenting the network into smaller areas and then controlling which traffic can flow between them. An approach where network firewalls are implemented exclusively on the perimeter networks, filtering traffic between trusted and untrusted zones, becomes limiting for this model. Instead, it is recommended to also filter traffic between internal networks, hosts and applications.

There are several networking related security services in Azure, described in the following paragraphs, that allow you to filter and control network communications in a granular way, thus supporting the Zero Trust model.

Network Security Group (NSG)

Network Security Groups (NSGs) are the main tool to control network traffic in Azure. Through allow and deny rules you can filter communications between different workloads on an Azure virtual network. Furthermore, you can filter communications with systems that reside on-premises and are connected to the Azure VNet, as well as communications to and from the Internet. NSGs can be applied to a specific subnet of an Azure VNet or directly to the individual network adapters of Azure virtual machines. NSG rules may contain Service Tags, which group predefined categories of IP addresses, including those assigned to specific Azure services (e.g. AzureMonitor, AppService, Storage, etc.).

NSG rules can also reference Application Security Groups (ASGs). These are groups that contain network adapters of virtual machines on Azure. ASGs allow you to group multiple servers under mnemonic names, which is particularly useful for dynamic workloads. With Application Security Groups you no longer have to manage the IP addresses of Azure virtual machines in the NSG rules, as long as these IPs belong to VMs attached to the same VNet.

Although there is the option to enable firewall solutions at the guest OS level, Azure NSGs can guarantee protection even if the virtual machine in Azure is compromised. In fact, an attacker who gains access to the virtual machine and elevates privileges may be able to disable the firewall on the host. Because NSGs are implemented outside the virtual machine, they provide strong guarantees against attacks on the firewall running on the virtual machine itself.

Figure 1 - Graphical display of network traffic segregation via NSG
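To make the segmentation point concrete, the following added example (not code from the original article or from Microsoft) models first-match evaluation of inbound NSG rules that reference ASGs, and lists the flows that are permitted only because of the platform default rule AllowVnetInBound. It assumes a single NSG, symbolic service tags and ASG names instead of resolved IP addresses, and constructed rule names, resource IDs and ports; the rule fields follow the shape of `az network nsg show -o json`.

```python
"""Added example: first-match evaluation of inbound NSG rules that use ASGs.

Field names follow `az network nsg show -o json`; every rule name, ASG name,
resource ID and port below is constructed sample data.
"""

# Inbound rules Azure appends to every NSG (priorities 65000-65500).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "*"},
]

# Placeholder subscription and resource group (constructed).
ASG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
          "rg-demo/providers/Microsoft.Network/applicationSecurityGroups/")


def asg_ref(name):
    """Build the ASG reference list the way the CLI output nests it."""
    return [{"id": ASG_ID + name}]


def asg_names(rule, key):
    """Return the ASG names (last ID segment) a rule references on one side."""
    return {ref["id"].rsplit("/", 1)[-1] for ref in rule.get(key) or []}


def port_matches(rule, port):
    """Match a port against '*', a single port, or a 'low-high' range."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for item in ranges:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def side_matches(rule, side, tag, asgs):
    """Match one side of a flow: by ASG membership if the rule names ASGs,
    otherwise by '*' or an exact service tag (CIDR prefixes are not modelled)."""
    wanted = asg_names(rule, side + "ApplicationSecurityGroups")
    if wanted:
        return bool(wanted & asgs)
    return rule.get(side + "AddressPrefix") in ("*", tag)


def evaluate_inbound(custom_rules, flow):
    """Return (access, rule name) of the first rule, by ascending priority,
    that matches the flow. Custom rules are evaluated before the defaults."""
    inbound = [r for r in custom_rules if r.get("direction") == "Inbound"]
    for rule in sorted(inbound + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"].lower() in ("*", flow["protocol"].lower())
                and port_matches(rule, flow["port"])
                and side_matches(rule, "source", flow["src_tag"], flow["src_asgs"])
                and side_matches(rule, "destination", flow["dst_tag"], flow["dst_asgs"])):
            return rule["access"], rule["name"]
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


def allowed_by_default(custom_rules, flows):
    """Names of flows permitted only because AllowVnetInBound let them through."""
    return [name for name, flow in flows.items()
            if evaluate_inbound(custom_rules, flow) == ("Allow", "AllowVnetInBound")]


def vnet_flow(src_asg, dst_asg, port):
    """A TCP flow between two ASG members inside the same VNet."""
    return {"protocol": "Tcp", "port": port,
            "src_tag": "VirtualNetwork", "src_asgs": {src_asg},
            "dst_tag": "VirtualNetwork", "dst_asgs": {dst_asg}}


ALLOW_WEB_TO_APP = {
    "name": "Allow-Web-To-App", "priority": 100, "direction": "Inbound",
    "access": "Allow", "protocol": "Tcp", "destinationPortRange": "8080",
    "sourceApplicationSecurityGroups": asg_ref("asg-web"),
    "destinationApplicationSecurityGroups": asg_ref("asg-app")}
ALLOW_APP_TO_DB = {
    "name": "Allow-App-To-Db", "priority": 110, "direction": "Inbound",
    "access": "Allow", "protocol": "Tcp", "destinationPortRange": "1433",
    "sourceApplicationSecurityGroups": asg_ref("asg-app"),
    "destinationApplicationSecurityGroups": asg_ref("asg-db")}
# Explicit deny placed after the allows but before the 65000 default.
DENY_VNET = {
    "name": "Deny-Vnet-Inbound", "priority": 4000, "direction": "Inbound",
    "access": "Deny", "protocol": "*", "destinationPortRange": "*",
    "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "*"}

FLOWS = {
    "web->app:8080": vnet_flow("asg-web", "asg-app", 8080),
    "app->db:1433": vnet_flow("asg-app", "asg-db", 1433),
    "web->db:1433": vnet_flow("asg-web", "asg-db", 1433),
}

if __name__ == "__main__":
    for label, rules in (("allow rules only", [ALLOW_WEB_TO_APP, ALLOW_APP_TO_DB]),
                         ("with explicit deny", [ALLOW_WEB_TO_APP, ALLOW_APP_TO_DB, DENY_VNET])):
        print(label, "-> flows riding on AllowVnetInBound:", allowed_by_default(rules, FLOWS))
```

With only the two allow rules, the web tier can still reach the database tier through the default rule; the explicit deny at priority 4000 is what actually enforces the tiering.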

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects the resources attached to Azure Virtual Networks and centrally governs the related network flows. Furthermore, it has built-in high availability and scalability.

Azure Firewall Premium includes all the features of the Azure Firewall Standard tier and adds the following features typical of a next-generation firewall.

Figure 2 - Overview of Azure Firewall Premium features

The best practice dictated by the Zero Trust model is to always encrypt data in transit to obtain end-to-end encryption. However, from an operational point of view, there is often a need for greater visibility in order to apply additional security services to unencrypted data. The features of Azure Firewall Premium make this possible. In fact, the Premium version provides an additional level of protection from security threats, through features such as TLS Inspection and IDPS that give greater control of network traffic in order to intercept and block the spread of malware and viruses. For more details regarding the features of Azure Firewall Premium you can consult this article.

DDoS protection

The Zero Trust model aims to authenticate and authorize any component residing on the network. Nevertheless, any system capable of receiving network packets is vulnerable to DDoS attacks, even those that use a Zero Trust architecture. Consequently, it is imperative that any Zero Trust implementation also adopts a DDoS protection solution.

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Basic protection is enabled by default in the Azure platform, which constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure Public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS Protection Standard tier provides additional mitigation features over the Basic tier, specifically optimized for resources located in Azure virtual networks. The protection policies are self-configured and are tuned by monitoring network traffic and applying machine learning algorithms, which profile your application in the most appropriate and flexible way by studying the traffic it generates. When the thresholds set in the DDoS policy are exceeded, the DDoS mitigation process starts automatically, and it is suspended when traffic falls below the established thresholds. These policies are applied to all Azure public IPs associated with the resources present in the virtual networks, such as virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Firewall Manager

The Zero Trust security model directs us to adopt micro-segmentation and to define granular perimeters in the network architecture. To facilitate this approach, you can use Azure Firewall Manager, a tool that provides a single centralized control panel to simplify the configuration and management of network security policies, which often need to be deployed across multiple Azure Firewall instances. In addition to the management of Azure Firewall policies, Azure Firewall Manager allows you to associate a DDoS protection plan with virtual networks.

Furthermore, Azure Firewall Manager allows you to use third-party SECaaS (Security as a Service) offerings to protect users' Internet access.

Synergies and recommendations for the use of the various protection services

To obtain effective network protection, the following recommendations should be taken into consideration when using the various security components related to Azure networking:

  • Network Security Groups (NSG) and Azure Firewall are complementary, and using them together gives you a high degree of defense. NSGs are recommended for filtering traffic between resources residing within a VNet, while Azure Firewall is useful for providing network and application protection between different Virtual Networks.
  • To increase the security of Azure PaaS services, it is recommended to use Private Link, which can be used in conjunction with Azure Firewall to consolidate and centralize access logs.
  • If you want to publish an application in a protected way (inbound HTTP/S), it is advisable to use the Web Application Firewall present in the Azure Application Delivery solutions, placing it alongside Azure Firewall. Web Application Firewall (WAF) provides protection from common vulnerabilities and attacks, such as cross-site scripting and SQL injection.
  • Azure Firewall can also be supported by third-party WAF / DDoS solutions.
  • In addition to Azure Firewall, it is possible to evaluate the adoption of Network Virtual Appliances (NVAs) provided by third-party vendors and available in the Azure marketplace.

All these protection services, suitably configured in a Hub-Spoke network topology, allow you to segregate network traffic, achieving a high level of control and security.

Figure 3 - Example of a Hub-Spoke architecture with the various security services

Furthermore, by integrating with Azure security services such as Microsoft Defender for Cloud, Microsoft Sentinel and Azure Log Analytics, it is possible to further optimize the management of security posture and the protection of workloads.

Conclusions

The security model that analysts at Forrester Research named Zero Trust is now an imperative for organizations protecting their environments. Azure provides a wide range of services that allow you to achieve high levels of security, acting on different fronts to support this model. When adopting the Zero Trust model, a winning strategy in Azure networking is to mix and match the different network security services to obtain protection on multiple levels.

Azure IaaS and Azure Stack: announcements and updates (February 2022 – Weeks: 05 and 06)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Deployment enhancements for SQL Server on Azure Virtual Machines

A great update to our Azure Marketplace image with SQL is that you can now configure the instance during deployment. Most companies have standards for their SQL instances and can now make configuration changes during deployment instead of keeping the preconfigured image settings. This covers items like moving the system database to a data disk, configuring tempdb data and log files, configuring the amount of memory and more. During SQL VM deployment, under SQL Server Settings, you can change the defaults by clicking Change Configuration for storage or Change SQL Instance settings for customizing memory limits, collation, and ad hoc workloads.

Networking

New Azure Firewall capabilities

New Azure Firewall capabilities are available:

  • Azure Firewall network rule name logging: previously, the event of a network rule hit would show the source, destination IP/port, and the action, allow or deny. With the new functionality, the event logs for network rules will also contain the policy name, Rule Collection Group, Rule Collection, and the rule name hit.
  • Azure Firewall premium performance boost: this feature increases the maximum throughput of the Azure Firewall Premium by more than 300 percent (to 100Gbps).
  • Performance whitepaper: to provide customers with a better visibility into the expected performance of Azure Firewall, Microsoft is releasing the Azure Firewall Performance documentation.

Azure Bastion now supports file transfer via the native client (preview)

With the new Azure Bastion native client support in public preview and included in Standard SKU, you can now:

  • Use either SSH or RDP to upload files to a VM from your local computer.
  • Use RDP to download files from a VM to your local computer.

Custom virtual network support in Azure Container Apps (preview)

You can now create Azure Container Apps environments into new or existing virtual networks. This enables Container Apps to receive private IP addresses, maintain outbound internet connectivity, and communicate privately with other resources on the same virtual network.

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 03 and 04)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Storage

Azure NetApp Files: new features

New features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities have recently received general availability status and no longer need registration for use:

The following new features have been added in public preview:

Regional coverage continues to expand, and Azure NetApp Files is now generally available in:

  • East Asia
  • Switzerland North
  • Switzerland West
  • West US 3

Feature regional coverage continues to expand as well. For cross-region replication, the following region pairs have been added:

  • West US 3 <-> East US
  • Southeast Asia <-> East Asia
  • Switzerland North <-> Switzerland West
  • UsGov Virginia <-> UsGov Texas
  • UsGov Arizona <-> UsGov Texas
  • UsGov Virginia <-> UsGov Arizona

Azure IaaS and Azure Stack: announcements and updates (January 2022 – Weeks: 01 and 02)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Price reductions for Azure confidential computing

Microsoft is announcing a price reduction on the DCsv2 and DCsv3-series VMs by up to 33%. The price reduction enables the data protection benefits of ACC with no premium compared to general purpose VMs on a per physical core basis. New prices took effect on 1/1/2022. If you are already using DCsv2 and DCsv3-series VMs prior to 1/1/2022, you will see the price reduction in your next bill.

Storage

Azure Ultra Disk Storage is available in West US 3

Azure Ultra Disk Storage is now available in West US 3. Azure Ultra Disks offer high throughput, high IOPS, and consistent low latency disk storage for Azure virtual machines (VMs). Ultra Disks are suited for data-intensive workloads such as SAP HANA, top tier databases, and transaction-heavy workloads.

Networking

Multiple custom BGP APIPA addresses for active VPN gateways

All SKUs of active-active VPN gateways now support multiple custom BGP APIPA addresses for each instance. Automatic Private IP Addressing (APIPA) addresses are commonly used as the BGP IP addresses for VPN connectivity. In addition to many on-premises VPN devices requiring multiple custom APIPA addresses for BGP, this feature enables BGP connections to Amazon Web Services (AWS) and other cloud providers.

Load Balancer SKU upgrade through PowerShell script

You can now upgrade your Azure Load Balancer from Basic SKU to Standard SKU by using a PowerShell script. By upgrading to Standard SKU, the Load Balancer enables the network layer traffic to drive higher performance and stronger resiliency, along with an improved integration experience with other Azure services. The PowerShell script creates the Standard SKU Load Balancer with the same configurations as the Basic Load Balancer. In addition, the script migrates the backend resources to the Standard Load Balancer for you.

Azure Traffic Manager: additional IP addresses for endpoint monitoring service

Traffic Manager uses a probing mechanism to evaluate your application endpoints. To enhance the capacity of our probing plane, Microsoft will be increasing the number of probes deployed within Traffic Manager’s endpoint monitoring service over the next few years to continue to mitigate the large amount of growth. Your applications will see an increase in number of health probes and some of these probes may originate from new IP addresses. These changes will start to go live on 21st January 2022 at 20:00 UTC.

Recommended action: if you use a network access control mechanism (e.g., Azure Firewall or Network Security Groups) and are not using Service Tags (AzureTrafficManager), please continue checking this updated list of IP addresses each Wednesday, until further notice, to ensure you allow incoming traffic from these new IP addresses. Failure to do so may cause some Traffic Manager health probes for the application endpoints to fail and may result in misrouting of traffic. No action is required if access control isn’t used or if network access control is used with AzureTrafficManager service tags.

Azure Networking: how to extend an on-premises network to Azure with private connectivity

When you decide to undertake a strategy based on a hybrid cloud, that combines on-premises IT resources with public cloud resources and services, it is advisable to carefully consider how to connect your local network with the virtual networks present in the public cloud. In Azure one option is to use ExpressRoute, a private and dedicated connection that takes place through a third-party connectivity provider. This article describes possible network architectures with ExpressRoute, together with a series of precautions to be taken into consideration for a successful deployment.

Very often a Site-to-site VPN is used to establish connectivity between the on-premises resources and the resources in the Azure environment attached to the Virtual Networks. This type of connectivity is ideal for the following use cases:

  • Development, test and laboratory environments, but also production workloads where the resources located in Azure do not depend intensively and strategically on connectivity to the on-premises environment, and vice versa.
  • When you have an acceptable tolerance for bandwidth and speed in the hybrid connection.

There are some use cases, however, where ExpressRoute should be configured, according to Microsoft best practices, to ensure bidirectional connectivity between the on-premises network and the customer's Azure virtual networks (VNets). In fact, ExpressRoute is suitable for the following use cases:

  • When high speed, low latency and high availability / resilience are required.
  • In the presence of mission-critical workloads that use hybrid connectivity.

What is ExpressRoute?

Thanks to ExpressRoute it is possible to activate a dedicated private connection, provided by a third party connectivity provider, to extend the on-premises network to Azure. ExpressRoute connections do not go through the public internet. In this way they can offer a higher level of security, greater reliability, faster speeds and consistent latencies than traditional internet connections.

Figure 1 - ExpressRoute logic diagram

ExpressRoute connections enable access to the following services:

  • Microsoft Azure services (scenario covered in this article).
  • Microsoft 365 services. Microsoft 365 has been designed to be accessed securely and reliably over the Internet. For this reason it is recommended that you use ExpressRoute with Microsoft 365 only in certain scenarios, as described in this Microsoft article.

It is possible to create an ExpressRoute connection between the local network and the Microsoft cloud via four different modes:

Figure 2 - ExpressRoute connectivity models

Connectivity providers can offer one or more connectivity models and you can choose the most appropriate model for your connectivity needs.

Reference architectures

The following reference architecture shows how you can connect your on-premises network to virtual networks in Azure, using Azure ExpressRoute.

Figure 3 - Reference architecture to extend a local network with ExpressRoute

The architecture consists of the following components.

  • On-premises corporate network (“On-premises network” in the schema). This is the customer's private local network.
  • Local edge routers. These are the routers that connect the local network to the circuit managed by the provider.
  • ExpressRoute circuit. It is a layer 2 or layer 3 circuit, provided by the connectivity provider, which joins the local network to Azure via the edge routers. The circuit uses the hardware infrastructure managed by the connectivity provider.
  • Microsoft edge routers. These are routers in an active-active high availability configuration. These routers allow the connectivity provider to connect their circuits directly to the data center.
  • Virtual network gateway (ExpressRoute). The ExpressRoute virtual network gateway enables the Azure virtual network (VNet) to connect to the ExpressRoute circuit used for connectivity with the local network.
  • Azure virtual networks (VNet). Virtual networks residing in an Azure region.

In the architecture described above, ExpressRoute will be used as the primary connectivity channel to connect the on-premises network to Azure.

Furthermore, it is possible to use a site-to-site VPN connection as a source of backup connectivity to improve connectivity resilience. In this case, the reference architecture will be the following:

Figure 4 - Reference architecture to use both ExpressRoute and a site-to-site VPN connection

In this scenario, in addition to the architectural components described above, the following components are expected:

  • On-premises VPN appliance. A device or service that provides external connectivity to the local network. The VPN appliance can be a hardware device or a supported software solution for connecting to Azure.
  • Virtual network gateway (VPN). The VPN virtual network gateway allows the virtual network to connect to the VPN appliance present in the local network.
  • VPN connection. The connection has properties that specify the type of connection (IPSec) and the key shared with the local VPN appliance to encrypt the traffic.

How to monitor ExpressRoute

To monitor network resources in the presence of ExpressRoute connectivity, you can use the Azure Monitor platform tool, through which you can check the availability, performance, use and operation of this connectivity.

A screenshot of the solution is shown as an example.

Figure 5 – ExpressRoute circuit monitor via Azure Monitor

This solution provides a detailed topology mapping of all ExpressRoute components (peering, connections, gateway) in relation to each other. The detailed network information for ExpressRoute includes a dashboard through which you can consult the metrics, the actual speed, any dropped network packets and the gateway metrics.

As an example, the following dashboard screen shows the total throughput of inbound and outbound traffic for the ExpressRoute circuit (expressed in bits / second). Furthermore, you can view the throughput for individual connections.

Figure 6 - Metrics relating to the Throughput of ExpressRoute connections

For more details you can refer to the official Microsoft documentation on how to monitor ExpressRoute.

Security Considerations

In the security baselines for ExpressRoute, which refer to the Azure Security Benchmark version 1.0 (the Azure-specific set of guidelines created by Microsoft), Microsoft provides several recommendations. The main ones to adopt are:

  • Definition and implementation of standard security configurations for Azure ExpressRoute using Azure Policy.
  • Use of tags for Azure ExpressRoute components in order to provide metadata and a logical and structured organization of resources.
  • Locking to prevent accidental deletion or unwanted modification of Azure components related to ExpressRoute configuration.
  • Use of Azure platform tools to monitor network resource configurations and detect changes to the network resources of ExpressRoute connections. Creation of alerts in Azure Monitor that are generated when changes are made to critical resources.
  • Configure centralized collection of Activity Logs for ExpressRoute components.

Conclusions

ExpressRoute offers a fast and reliable connection to Azure with bandwidths that can reach up to 100 Gbps. It is therefore an ideal option for specific scenarios such as periodic data migration, replication for business continuity purposes, disaster recovery, and the activation of high availability strategies. Thanks to ExpressRoute's high speed and low latency, Azure will feel like a natural extension of your data centers. In this way, it is possible to take advantage of the scalability and innovation of the public cloud without compromising on network performance.

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 51 and 52)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

In the past two weeks, Microsoft hasn’t made any major announcements regarding these topics. However, here are some links to interesting videos made by John Savill, Principal Cloud Solution Architect at Microsoft:

I take this opportunity to wish you happy holidays and happy New Year!

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 49 and 50)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, made official by Microsoft in the last two weeks.

Azure

Compute

Virtual Machine restore points (preview)

Public preview of VM restore point is available, a new resource that stores VM configuration and a point-in-time snapshot of one or more managed disks attached to a VM. VM restore points support multi-disk application consistent snapshots and can be leveraged to easily capture backups of your VM and disks. You can easily restore the VM using VM restore points in cases of data loss, corruption, or disasters. Microsoft is also introducing a new Azure Resource Manager (ARM) resource called Restore Point Collection, which will act as a container for all the restore points of a specific VM.

Placement policies for Azure VMware Solution

Placement policies are used to define constraints for running virtual machines in the Azure VMware Solution Software-Defined Data Center (SDDC). These constraints allow you to decide where and how the virtual machines should run within the SDDC clusters. Placement policies are used to support performance optimization of virtual machines (VMs) through policy, and help mitigate the impact of maintenance operations to policies within the SDDC cluster.

Storage

Secure access to storage account from a virtual network/subnet in any region (preview)

You can secure access to your storage account by enabling a service endpoint for Storage in the subnet and configuring a virtual network rule for that subnet through the Azure storage firewall. You can now configure your storage account to allow access from virtual networks and subnets in any Azure region. By default, service endpoints enable connectivity from a virtual network to a storage account in the same Azure region as the virtual network or its paired Azure region. This preview enables you to register your subnet to allow service endpoint connectivity to storage accounts in any Azure region across the globe.

Attribute-based Access Control (ABAC) conditions with principal attributes (preview)

Attribute-based access control (ABAC) is an authorization strategy that defines access levels based on attributes associated with security principals, resources, requests, and the environment. Azure ABAC builds on role-based access control (RBAC) by adding conditions to Azure role assignments expressed as a predicate using these attributes. This update to the preview enables the use of Azure AD custom security attributes for principals in role assignment conditions. You can now combine principal attributes with resource and request attributes in your condition expressions.

Soft delete for blobs capability for Azure Data Lake Storage

Soft delete for blobs capability for Azure Data Lake Storage is now generally available. This feature protects files and directories from accidental deletes by retaining the deleted data in the system for a specified period of time. During the retention period, you can restore a soft-deleted object, i.e. file or directory, to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted. All soft deleted files and directories are billed at the same rate as active ones until the retention period has expired.

Azure Stack

Azure Stack HCI

Windows Server guest licensing offer for Azure Stack HCI (preview)

To facilitate guest licensing for Azure Stack HCI customers, we are pleased to announce a new offer that brings simplicity and more flexibility for licensing. The new Windows Server subscription for Azure Stack HCI is available in public preview as of December 14, 2021. This offer will allow you to purchase unlimited Windows Server guest licenses for your Azure Stack HCI cluster through your Azure subscription. You can sign up and cancel anytime, and preview pricing is $0 until general availability (GA). At GA, the offer will be charged at $23.60 per physical core per month. This offer simplifies billing by keeping it all in one place, your Azure subscription, and in some cases will be less expensive for customers than the traditional licensing model.

Azure IaaS and Azure Stack: announcements and updates (December 2021 – Weeks: 47 and 48)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

West Central US: Microsoft expands cloud services with two new datacenters in Wyoming

Microsoft is announcing the launch of two new Microsoft datacenters in Cheyenne, Wyoming, one in Cheyenne Business Parkway and another in Bison Business Park, enabling it to expand and support the growth and demand for digital services in the West Central US datacenter region. Cheyenne has been home to Microsoft’s cloud infrastructure services since 2012 and this expansion will enable us to continue providing services to current and new customers.

New Azure Virtual Machines DCasv5 and ECasv5-series (preview)

Azure DCasv5/ECasv5 confidential virtual machines (VMs) powered by 3rd Gen AMD EPYC™ processors with SEV-SNP are available in preview.

SQL Server IaaS Agent extension for Linux SQL VMs

Microsoft is making the capabilities of SQL Server IaaS Agent extension available to Linux platforms, starting with Ubuntu with plans for other distributions in time.

If you are already running SQL Server on Azure using an Ubuntu Linux Virtual Machine, the SQL Server IaaS Agent extension now enables you to leverage integration with the Azure portal and unlocks the following benefits for SQL Server on Linux Azure VMs:

  • Compliance: The extension offers a simplified method to fulfill the requirement of notifying Microsoft that the Azure Hybrid Benefit has been enabled as is specified in the product terms. This process negates needing to manage licensing registration forms for each resource.
  • Simplified license management: The extension simplifies SQL Server license management, and allows you to quickly identify SQL Server VMs with the Azure Hybrid Benefit enabled using the Azure portal, Azure PowerShell, or the Azure CLI.

IaaS Agent extension full mode no restart for SQL VMs

You can now enable the full mode of SQL Server IaaS Agent extension with no restart, giving you access to more manageability features for SQL Server on Azure Virtual Machines without interruption to your workloads. Previously, you had to restart the SQL Server services to enable these features. The full mode of SQL Server IaaS Agent extension unlocks many benefits such as Automated Backup, Automated Patching, Storage Optimization, and more, along with license management that comes with lightweight mode.

Storage

Azure File Sync: new agent released

The Azure File Sync agent v14.1 is available. Issue that is fixed in the v14.1 release:

  • Tiered files deleted on Windows Server 2022 are not detected by cloud tiering filter driver. This issue can also impact Windows 2016 and Windows Server 2019 if a tiered file is deleted using the FILE_DISPOSITION_INFORMATION_EX class.

To obtain and install this update, configure your Azure File Sync agent to automatically update when a new version becomes available or manually download the update from the Microsoft Update Catalog.

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is 14.1.0.0.
  • Installation instructions are documented in KB5001873.

Azure NetApp Files application volume group for SAP HANA (preview)

Application volume group (AVG) for SAP HANA enables you to deploy all volumes required to install and operate an SAP HANA database according to best practices in a single, optimized one-step workflow. The application volume group feature includes the use of proximity placement group (PPG) with VMs to achieve automated, low-latency deployments. Application volume group for SAP HANA has implemented many technical improvements that simplify and standardize the entire process to help you streamline volume deployments for SAP HANA. Instead of creating the SAP HANA volumes (data, log, shared, log-backup, file-backup) individually, the new application volume group for SAP HANA creates these volumes in a single ‘atomic’ operation (GUI, RP, API).

Networking

VPN Gateway NAT

Azure VPN NAT (Network Address Translation) supports overlapping address spaces between your on-premises branch networks and your Azure Virtual Networks. NAT can also enable business-to-business connectivity where address spaces are managed by different organizations and re-numbering networks is not possible. VPN NAT provides support for 1:1 Static NAT and 1-to-many dynamic NAT.

Wildcard listener on Application Gateways

Azure Application Gateway now supports the use of wildcard characters such as asterisk (*) and question mark (?) for hostnames on a multi-site HTTP(S) listener. You can now route requests from multiple hostnames such as shop.contoso.com, accounts.contoso.com, pay.contoso.com to the same backend pool through a single listener configured with a wildcard hostname such as *.contoso.com.

Azure IaaS and Azure Stack: announcements and updates (November 2021 – Weeks: 45 and 46)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.

Azure

Compute

Virtual machines selector now generally available

Microsoft wants to simplify the process required for you to identify the right VM based on your needs and budget. To that end, virtual machines selector is a web-based tool localized in 26 languages and available worldwide. Using the virtual machines selector you can specify your requirements, such as the category of workload you plan to run in Azure, and the technical specifications of your VM (e.g., OS disks storage options, data disks storage performance, Operating System, deployment region, etc.). After a few simple steps, the tool identifies the best VM and disk storage combination based on the information you enter. You will then be able to view the details of the recommended VMs and their prices. You can then add the selected VMs to the pricing calculator to perform a more comprehensive cost analysis.

New cloud region in Sweden

The new sustainable datacenter region in Sweden, with presence in Gävle, Sandviken and Staffanstorp is available. It includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.

Azure VMware Solution now generally available in the France Central Azure Region and in Japan West Azure Region

Azure VMware Solution has expanded availability to Japan West and to France Central. With this release Japan West is now the second region within the Japan sovereign area to become available (joining Japan East).

SQL Server on Azure Virtual Machines: Multi subnet high availability

You can now simplify your SQL Server on Azure Virtual Machines high availability and disaster recovery configuration by deploying virtual machines in multiple subnets, eliminating the need for an Azure Load Balancer. Multi subnet configuration natively helps you match the on-premises experience for connecting to your availability group listener or SQL Server failover cluster instance. Additionally, this feature doesn’t have any limitations on unique port or feature interoperability considerations like distributed network name (DNN) for availability group and failover cluster instance. Multi subnet configuration is natively supported by all versions of SQL Server and Windows Server Failover Cluster to simplify deployment and maintenance and to improve failover time.

Azure Virtual Machines DCv3-series now available in Europe West and North (preview)

Announcing public preview expansion of the DCv3-series VMs to Europe West and North.

Storage

SFTP support for Azure Blob Storage (preview)

Starting today, SSH File Transfer Protocol (SFTP) support for Azure Blob Storage is available for public preview in select regions. Azure Blob Storage is the only storage platform that supports SFTP over object storage natively in a serverless fashion, enabling you to leverage object storage economics and features. With multi-protocol support, you can run your applications on a single storage platform with no application rewrites necessary, therefore eliminating data silos.

NFSv4.1 support on Azure Files

Azure Files support for NFS v4.1 on premium tier for both locally-redundant storage and zone-redundant storage is available. Now you can deploy these fully POSIX-compliant, distributed NFS file shares in your production environments for a wide variety of Linux and container-based workloads. Some example workloads include: highly available SAP application layer, enterprise messaging, user home directories, custom line-of-business applications, database backups, database replication, and DevOps pipelines. NFS 4.1 is available in all regions where the premium tier of Azure Files exists.

Azure Archive rehydration priority update

Azure Archive Storage provides a secure, low-cost means for retaining cold data, including backups and archival storage. Data stored in Archive Storage is offline and unavailable for read access until it is rehydrated to the hot or cool tier. You can choose to rehydrate data with standard or high priority, depending on the urgency of the retrieval request. Previously, it was not possible to change the retrieval priority after initiating a rehydration operation; priority had to be determined in advance, and there was no flexibility to update the priority if the retrieval urgency subsequently changed.

Archive Storage now supports updating the retrieval priority from standard to high while a rehydration operation is pending. You can simplify rehydration management and improve cost efficiency by initiating the rehydration operation with standard priority for a set of blobs, then updating the priority to high for any blobs that require faster retrieval.

Networking

VPN Gateways: increased connection limit

The max number of Site-to-Site/VNet-to-VNet connections on a VPN Gateway has been increased from 30 to 100 tunnels for SKUs VpnGw4, VpnGw5, VpnGw4AZ, and VpnGw5AZ. This change does not affect legacy gateways with the High Performance SKU.

Azure Bastion: new features available with Standard SKU (preview)

With the new Azure Bastion native client support you can:

  • Connect to your target Azure virtual machine via Azure Bastion using Azure CLI and a native client on your local Windows machine
  • Log into Azure Active Directory-joined virtual machines using your Azure Active Directory credentials

Also, with the new Azure Bastion IP based connection capability you can now connect to any target resource reachable from your Bastion using its private IP address. This includes any reachable resources hosted on-premises or in other clouds, allowing you to achieve more secure global remote connectivity with Azure Bastion.

ExpressRoute now supports Azure Virtual Desktop Shortpath RDP over Private Peering

ExpressRoute Private Peering now supports Azure Virtual Desktop RDP Shortpath. After establishing the reverse connect transport, the client and session host start the RDP connection. With RDP Shortpath configured, the client will require direct connectivity with the session host to establish a secure TLS connection. You can leverage ExpressRoute Private Peering to set up the direct connection to support RDP Shortpath.